The Password Is Dead

It’s not going to be too long before you’ll have to have your face scanned before you can open your email, at the rate the password cracking arms race is going.

One method harnesses a commonly available graphics processor to perform guesstimates at two teraflops – 2 trillion operations per second. Another is even faster, using an off-the shelf SSD drive to brute force crack 14 character complex passwords in 5 seconds.

For now, the best solution is to create a password out of an easily-memorized sentence that consists of upper and lower case characters and special characters, but it seems it won’t be long before even that is not good enough.

So what’s the solution? Perhaps not fingerprint scanners. A roll-call system based on fingerprints was pitched to parents of one Australia school, but it could be circumvented by making copies of their fingerprints on gummy bears and having their mates scan in for them. Perhaps the best argument for the need for two-factor authentication is that Windows8 will support facial recognition login. By the time Microsoft gets around to implementing a new technology, you can assume its time is well past due.

Really. The next step past gummy-bear thumbprints is printouts of people held up in front of the scanner. Or, if you have top-secret clearance and someone wants in to your computer, they’ll simply cut off your head and hold it up.

I went to a presentation on facial recognition. It’s not there yet. They showed pictures of two women who were clearly different ages and races, and the facial recognition saw them as being the same person. But they showed two pictures of the same woman, smiling and not smiling, and it didn’t recognize her.

The moral of the story is, if you’re on an episode of NCIS, and you’re trying to fool the facial recognition scanners, just keep smiling.

Not to mention that once they steal the digital version of your face that is used to authenticate you there will be no way to change or revoke it. Biometric Authentication belongs in James Bond movies and not in real life.

Someone gets a copy of a database of usernames/passwords (passwords being encrypted in something like AES128 so that it’s FIPS compliant), then you just compare password hashes until you find the matching one.

Saw this the other day on TV… weird editing where they eliminated the words “Jesus Christ” and then they skipped over the part where Matthew Broderick used the pull-tab to hack into the pay phone. As if that were still possible, and as if there we pull-tabs lying around lol…

This has been a known flaw in the fingerprint biometrics for some time. Fingerprint scanners are ridiculous. They typically get their screen smudged so the machine can’t even read a fingerprint correctly in the first place. Then Microsoft went and stored this biometric data unencrypted when it first came out (not sure if this has been fixed or not).
In general biometrics (as with most security) can and will be defeated. Either the technology or the people using it will be circumvented. The reality is that people too often want both convenience and security, which don’t go hand in hand, so they circumvent their own security to make it easier to log in to their bank account or check their email or whatever.
We honestly won’t have secure systems until we educate people to always err on the side of security. Instead I have to deal with people like my wife that say working in IT Security has made me paranoid.

Some of the current laptops use facial recognition for login. The problem is that it has to allow some degree of variability to work and I’m not even mentioning makeup, haircuts and styling. The human face is rather generic so I think it would be easy to fake it out. If nothing else, you could hold an 8×10 in front of the webcam and you’re in like Flynn.

Biometrics aren’t even a good idea when you ignore that factor. They’re expensive and a pain in the ass to use. Do you really want to pay a guy to wipe down the hand scanners into a building 30 times a day because they get so gunked up with oils that they stop reading properly? Do you want to be locked out of your computer because you scratched up your hands or got conjunctivitis?

Furthermore finger prints make for a lousy authentication method. People leave their finger prints everywhere. Remember fingerprinting was developed to catch people. At best they should be used as a login id, not a password.

This is asinine. The password isn’t anymore dead than the locks on your front door. Merely because people can break into your house through a window does not mean we should stop using locks on our doors.

It’s a simple fact that there is no such thing as a perfect “lock.” Any lock which allows one person to get in, means that it’s logically possible for any person to get in. Nothing will change this.

Just as there have been centuries of breaking and entering, there will be centuries of computer hacking. Anyone who hopes for or works towards a perfect system is an idiot.

Facial recognition as a password would be great, then I can just decapitate the people I want to steal from :D Or just take off a few faces and wear them… either way, that’s a win win scenario if ever there was one.

No no no. That’s not how quantum computing works. There are certain problems that quantum computers can solve faster (factoring, which a lot of modern online does rely on), but they’re not some magic bullet that makes everything obsolete. Reversing most hashes, for example, is still going to be incredibly slow.

Darn…and I just went through all my old passwords and upgraded them to 13-15 characters. Most of them vary just a bit, so I have to use a program to store them all, as there is no way I will remember them before getting locked out.

Ok… after a back of the envelope calculation (thanks Enrico) I’m going to have to call bullshit on some of this. For computational simplicity let’s suppose that there are 100 characters available to choose from(that’s actually a little less than what’s available). Now let’s say that you choose (as specified in the article) a 14 character password. That’s 100^14 possible permutations or 10^28. 2*10^12 permutations per second (again from the article) divided into the possible number of permutations is 5*10^15 seconds. That’s well into the millions of years(1 billion seconds is about 32 years, 1 trillion seconds is about 32,000 years and finally 1 quadrillion seconds is ~ 32 million years). So if the SSD drive broke such a password in 5 seconds it has to be MANY orders of magnitude faster than 2*10^12 P/s. In short, the basic arithmetic of this scenario doesn’t add up.

Rainbow tables… You keep every possible form of the encrypted password in huge hash tables and work from there. Memory sizes have limited the use of rainbow tables in the past as long as people used strong passwords. This is one reason dictionary words are so bad.

Creating a rainbow table of password+hash pairs is fairly simple as you’d just run the hash over and over on different potential passwords. You can’t do the same for encrypted passwords because you don’t know the encryption key.

Sorry, it just really bugs me when people use the words hashed and encrypted interchangeably. They’re not the same thing.

Two things. First, people doing serious password cracking use more than one method. Random brute forcing is the *last* thing they would choose, for exactly the reason you state. Besides the already mentioned rainbow tables, a common method is a dictionary based attack, where the cracker tries permutations of the most common passwords.

The second thing is that most passwords are significantly less than 14 characters. Most financial websites don’t even let you use a password that’s more than 8 characters, and a lot of those don’t allow more than letters and numbers.

At defcon last summer, the winner of the password cracking competition cracked 38,000 of the 50,000 passwords they were given in less than 48 hours. Granted that the passwords were all shorter than 14 characters, but IIRC, the winners used 5 normal, everyday machines with high end graphics cards, and used the GPU on the graphics cards to do the cracking.

Don’t try hacking my wifi password, though. WPA allows 63 character passwords, and I use most of that…

Each character you add to a password increases the difficulty in cracking it exponentially, so even if fourteen-character passwords can be cracked in 5 seconds, fifteen character passwords will take much longer. Unfortunately, a lot of password systems don’t allow extremely long passwords, or prohibit spaces (so you can’t do pass-sentences). For expert typists, anyway, typing eight words doesn’t take much longer than typing eight random characters, because our fingers are used to typing in our native language. Slower typists would have problems, but you can ameliorate that by having one master password that gets you into your computer, and have the computer handle the rest via public-key cryptography etc (or let the computer remember your Amazon password, so that you can have a different one for each site).

What kind of crappy computer system lets you, or another computer, enter passwords infinitely. Most computer systems I have worked on in my life give you 3 tries, and then either temporarily or permanently disables your password. When this happens, most of these systems just tells you that the password in incorrect, so that a hacker would not know that the password they try is really incorrect or disabled.

The one that lets you break in some other way and steal the password database. Then you can churn on the passwords as long as you like. When you get a password, you log in as that user and do whatever you want.

You know what will work even better? Implementing a smart password entry system that prevent brute force attempts. After 3 failures lock any attempted log-ins for 5 minutes. If 3 such failure occur in a row lock out the account until the user contacts support and requests log-ins be reactivated.

You can’t brute force a system that doesn’t allow an unlimited number of log-in attempts.

#1 is what is commonly referred to as a password by most people these days.

#2 is typically a physical device like a SecurID fob. With the number of smartphones out there frankly I’m surprised you don’t see more leverage of them as authentication devices. There are authentication apps out there like VeriSign Identity Protection for mobile devices.

#3 is the facial recognition sort of thing – it’s based on physical characteristics unique to you.

I’m betting it’s just a matter of time before all these technologies come together in some way. It’s already in use in many commercial environments. I used to work for a company whose servers were in a commercial datacenter that used all three authentication methods. To get onto the datacenter floor you had to go through a “man trap” which is about the size of a phone booth. Swipe an ID card to open the door, go into the trap and the door closes behind you. Inside you swipe your card, enter a PIN, and scan your hand. After that a second door opens that lets you enter the datacenter. I was told that the man trap also measured your weight to prevent somebody from entering with you.

Not at all. Verisign & SecurID base fobs on a pseudo-random number that’s regenerated every 60 seconds. Your fob is synchronized to an authentication server. To log into a site you enter your password and the number on the fob. The sever you’re attempting to log into verifies both your password and the number from the fob with the authentication server.

This is what Security Deposit Accounts in Australia use. As long as you keep the fob, you’ve got the randomized 12-digit security clearance code. Of course, this is used in conjunction with other security measures…

Thanks, you’ve summarized the issue well. I’ve been through those traps, they’re pretty cool. A few comments:

My concern is that we’ll start relying too heavily on “something you are” so that handprints, fingerprints, etc. will be the only/primary authentication method. The big problem with “something you are” is that once it’s lost/stolen, it can’t be changed. Except for Blade Runner, you can’t get a new retina or handprint. It may be difficult to use in person, but if its a virtual system (they’re not watching you put your hand on the scanner), it can be easier to spoof the data.

Did the author of this article RTFA?
It does NOT say that, “Students in Australia this week got around a roll-call system based around fingerprints by making copies of their fingerprints on gummy bears…”

The original article says that
“Henry Kendall High School…has pitched the system to parents…” (it is NOT in use yet)
and
“The hacks could potentially be used by students to make replicas of their own fingerprints…” (it has NOT been done yet)
and
“Japanese cryptographer Tsutomu Matsumoto used gelatin, the ingredient in Gummi Bears, to forge a replica finger that fooled 11 fingerprint scanners during tests in 2002…”
(Using the ingredient in Gummi Bears is not the same as using actual Gummi Bears.)

Students did not do this this week— the Japanese cryptographer experimented with this in 2002.

Pretty sure they told me in the security class I took last year that modern fingerprint scanners have solved the gummy bear problem. I mean, the gummy bear problem was identified 8 years ago. Anyway, there are levels of security. No truly high security authentication system would operate on biometrics alone. A student roll call system, though? Not exactly a high security application.

Two teraflops does not mean it guesses passwords at the rate of 2 trillion per second, only that it performs two trillion floating point operations per second when thoroughly optimized. That throughput is not sustainable and misleading.

The SSD “based” version is not optimized in any way other than that the SSD can load the tables faster than a mechanical drive and thus has less startup time. With a big chunk of RAM you can do it even faster.

Given that these involve using “tables” (e.g. rainbow tables) this is unfeasible when a site uses any form of salting with passwords. The cracker must also have the hashes for the passwords for this to be viable.

These are not tools you can point at a website or some IP and find someone’s password with. When it comes to security on your personal computer, a password of any strength is essentially only good enough to keep out casual interlopers. Unless you’re employing something akin to 256+ bit drive encryption, no password is going to keep out anyone who really wants your data once they have physical access to your laptop.

Each character you add to a password increases the difficulty in cracking it exponentially, so even if fourteen-character passwords can be cracked in 5 seconds, fifteen character passwords will take much longer. Unfortunately, a lot of password systems don’t allow extremely long passwords, or prohibit spaces (so you can’t do pass-sentences). For expert typists, anyway, typing eight words doesn’t take much longer than typing eight random characters, because our fingers are used to typing in our native language. Slower typists would have problems, but you can ameliorate that by having one master password that gets you into your computer, and have the computer handle the rest via public-key cryptography etc (or let the computer remember your Amazon password, so that you can have a different one for each site).

Does this really apply to where most people use passwords? Sure, they can attempt 84 quintillion times per second if both the lock and the key are inside their little speed-demon machines, but once you’ve got an external system involved, aren’t you a bit limited? I don’t think your average webmail, financial site, or World of Warcraft account are going to be able to respond with equal alacrity. That’s not even counting the ones that intentionally throttle password attempts, which most decent sites do these days.

Mostly would suck for those with locally-passworded content, like a TrueCrypt container or a KeePass database, I guess.

“Another is even faster, using an off-the shelf SSD drive to brute force crack 14 character complex passwords in 5 seconds.”

They did not brute force crack the password, they looked it up in a rainbow table.

A rainbow table is a table full of password-hash pairs that are pre-generated using a known hash (commonly md5). The technique to generate a rainbow table is similar to brute forcing, you create a hash of every combination of characters up to a given length.

Cracking using a rainbow table is just searching a list of hash’s for a KNOWN HASH. In the article’s example they looked in the password file of a Windows XP machine, and copied the hash. They then searched their rainbow table for the hash (which takes a long time depending on the size of the table) and when it found a match it shows them the related password.

This method can only be used if you have the password hash AND know how the hash is generated. If a hash is created using a salt, and you don’t know the salt, then your rainbow table is useless, and you won’t find a hash match.

Hackers don’t bother brute forcing passwords to systems consumer systems. They don’t have any data worth taking and why would they want to go to all that work when phishing is so effective.

Not to mention the chances are pretty high that someone uses a very common password in the first place.

The passwords that the majority of the population uses have been easily crackable for years. You could bruteforce an 8 character password in a couple hours in 2005.

Biometrics are annoying and not that hard to crack. get someone’s finger print and you can do it, something tells me facial recognition will be spoof able with a photo or video of someone’s face.

Really in general the solution to not having your computer cracked is to not give you password out to other people and to use a password that is not easy to guess. (avoid, birthdays, names, anniversaries, common passwords and things around your desk) Also, don’t write your password down.

As many have pointed out, raw password search speed is not the same as a practical attack on a particular system. There are other safeguards in place.

That being said, there are serious problems with using passwords alone for security. The most important is probably people’s tendency to choose weak passwords. There are also serious problems caused by password reuse and so on: if an attacker manages to steal a password on one site, there is a high chance that the same password will work for them on many sites. And, of course, passwords are vulnerable to keyloggers installed by local malware.

There are partial solutions to many of these problems, and passwords are an imperfect solution. But they are far from dead, and articles like this one overblow the threat to them that is posed by these offline, brute-force cracking attacks.

I’m not up on the latest technology but it seems to me the hash table has a finite number of characters to store the processed remains of the password. This hash is not unique to one password and probably could represent a very large number of possible passwords. Brute forcing every possible password will eventually hit one of these. The password may not be one that can be typed in since most systems do not allow upper ASCII characters, but still at some point, password complexity becomes a non-issue. Cracking one may become possible in a reasonable amount of time. The T.W.I.N.K.L.E. project shows that breakthroughs are still possible with a bit of creative thinking.

The password cracked in that article was a windows XP password. The encryption used for Windows XP passwords is laughable and 5 vs 10-15 seconds without SSD’s isn’t earth shattering. This stuff is a bunch of FUD that I saw on clueless “security” blogs a few days ago.

My new laptop has facial recognition authentication already. An Alienware from Dell. It does seem to have to ‘learn’ your face under different lighting and/or stages of bleary eyed semi-wakefullness. If you’re just too puffy eyed one morning, you can bypass it and log in the old fashioned way.

I think personal questions are much more effective than passwords. I’d prefer a two (or even three) tier system that asked me three personal questions of my choice before I could access the account. They can even be bogus questions like, “What is the name of Hector Blumbtwist Smodgepot’s pet ferret?”

The joke’s on them, you see. Hector doesn’t own a ferret. It’s a skinny wolverine!

Only the most stupidly designed authentication system would let more than a few failed authentication attempts through without invoking some other requirement, like a secondary auth (passcode via SMS) or some time period before another attempt can be tried.